Total
329 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-13517 | 1 Bd | 2 Pyxis Enterprise Server, Pyxis Es | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an AD domain. | |||||
| CVE-2019-12258 | 5 Belden, Netapp, Siemens and 2 more | 50 Garrettcom Magnum Dx940e, Garrettcom Magnum Dx940e Firmware, Hirschmann Dragon Mach4000 and 47 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options. | |||||
| CVE-2019-12203 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 3.7 LOW | 6.3 MEDIUM |
| SilverStripe through 4.3.3 allows session fixation in the "change password" form. | |||||
| CVE-2019-11213 | 2 Ivanti, Pulsesecure | 3 Connect Secure, Pulse Connect Secure, Pulse Secure Desktop Client | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 before 8.1R14, 8.3 before 8.3R7, and 9.0 before 9.0R3. | |||||
| CVE-2019-10371 | 1 Jenkins | 1 Gitlab Oauth | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | |||||
| CVE-2019-10158 | 2 Infinispan, Redhat | 2 Infinispan, Jboss Data Grid | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. | |||||
| CVE-2019-10120 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154. | |||||
| CVE-2019-10084 | 1 Apache | 1 Impala | 2024-11-21 | 4.6 MEDIUM | 7.5 HIGH |
| In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to the IDs of active Impala queries or sessions can interact with those sessions or queries via a specially-constructed request and thereby potentially bypass authorization and audit mechanisms. Session and query IDs are unique and random, but have not been documented or consistently treated as sensitive secrets. Therefore they may be exposed in logs or interfaces. They were also not generated with a cryptographically secure random number generator, so are vulnerable to random number generator attacks that predict future IDs based on past IDs. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. | |||||
| CVE-2019-10045 | 1 Pydio | 1 Pydio | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her (if the session is still active). | |||||
| CVE-2019-10008 | 1 Zohocorp | 1 Servicedesk Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab. | |||||
| CVE-2019-1003019 | 1 Jenkins | 1 Github Oauth | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. | |||||
| CVE-2019-0102 | 1 Intel | 1 Data Center Manager | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access. | |||||
| CVE-2019-0062 | 1 Juniper | 46 Csrx, Ex2200, Ex2200-c and 43 more | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
| A session fixation vulnerability in J-Web on Junos OS may allow an attacker to use social engineering techniques to fix and hijack a J-Web administrators web session and potentially gain administrative access to the device. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15 on EX Series; 12.3X48 versions prior to 12.3X48-D85 on SRX Series; 14.1X53 versions prior to 14.1X53-D51; 15.1 versions prior to 15.1F6-S13, 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D180 on SRX Series; 15.1X53 versions prior to 15.1X53-D238; 16.1 versions prior to 16.1R4-S13, 16.1R7-S5; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R3-S1; 17.2 versions prior to 17.2R2-S8, 17.2R3-S3; 17.3 versions prior to 17.3R3-S5; 17.4 versions prior to 17.4R2-S8, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R3; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R1-S2, 19.1R2. | |||||
| CVE-2018-9082 | 1 Lenovo | 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account | |||||
| CVE-2018-9026 | 1 Broadcom | 1 Privileged Access Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A session fixation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to hijack user sessions with a specially crafted request. | |||||
| CVE-2018-8852 | 1 Philips | 1 E-alert Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier. | |||||
| CVE-2018-6959 | 1 Vmware | 1 Vrealize Automation | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user's session. | |||||
| CVE-2018-6434 | 1 Broadcom | 1 Fabric Operating System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID. | |||||
| CVE-2018-5465 | 1 Belden | 134 Hirschmann M1-8mm-sc, Hirschmann M1-8sfp, Hirschmann M1-8sm-sc and 131 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. A session fixation vulnerability in the web interface has been identified, which may allow an attacker to hijack web sessions. | |||||
| CVE-2018-5385 | 1 Navarino | 1 Infinity | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Navarino Infinity is prone to session fixation attacks. The server accepts the session ID as a GET parameter which can lead to bypassing the two factor authentication in some installations. This could lead to phishing attacks that can bypass the two factor authentication that is present in some installations. | |||||